Security Basics mailing list archives

Re: Ethics Question


From: Suzanne Rodday <srodday () alum wellesley edu>
Date: Thu, 21 Aug 2003 18:39:07 -0400

You might want to read the article on Security Focus (http://www.securityfocus.com/columnists/179), as it talks about a similar situation: "The Sad Tale of a Security Whistleblower".

-Suzanne


At 2:04 PM -0400 8/21/03, Adam Newhard wrote:
Anonymously report it to that company...either through untraceable email or
USPS...preferably USPS, as you're guaranteed it won't be sent back through
you.  Your only concern is that your old boss knows you mentioned it, so
that's the only way it's traceable to you (that, and Bugtraq mail is
Googled...a quick search on there and there's viable evidence of what you
may do in the future for your old boss to accuse you of whatever he may feel
plausible...i.e., if someone uses the exploit, well, then that certainly sucks
for you if you mention it).  If other people have mentioned it to him, then
that's another story.

Do it anonymously if you do decide to do it...your concern shouldn't be
getting public recognition.
adam
----------------------------------------------------
Adam Newhard
Microstrain, Inc.
If vegetarians eat vegetables, watch out for humanitarians

----- Original Message -----
From: "Mike Taylor" <mtaylor () ablenology com>
To: <security-basics () securityfocus com>
Sent: Wednesday, August 20, 2003 10:54 PM
Subject: Ethics Question


 Hello all

 The question I have is: do I tell a company that I did work for that a system
 they have is not secure? Background: I worked for Company X (left them because
 I could not get paid regularly). They have a contract to support and keep
 secure Company Y. I noticed on an audit that the machine that is used for
 finances is VERY insecure. It is a terminal server machine that is set up so
 that 2 people can get to it from the outside. When you remote to this
 machine it bypasses login and gives you a blank desktop with the finance
 package login. To bypass, all you have to do is send a Ctrl-Shift-Esc, get the
 Task Manager, and File > Run "explorer", and you have a machine that can browse
 the whole network.

 I had brought this to my then boss's attention; he said don't mention it, we
 will fix it later. The hole is still there.

 What would you do?

 Thanks,

 Mike

----------------------------------------------------------------------------
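The escape Mike describes (Task Manager via Ctrl-Shift-Esc, then File > Run, then explorer) works because the Terminal Services session starts the finance client as the initial program but leaves the full Windows shell reachable from it. As an added example, not code from the original thread, the following PowerShell script audits the per-user Explorer and System policy values that close that path and, with -Apply, sets them. The policy value names are Microsoft's documented Explorer/System policy registry entries; the finance client binary name finance.exe is a placeholder assumption.

```powershell
# Added example (not from the original thread): audit and optionally apply the
# per-user policy values that block the Task Manager -> File -> Run -> explorer
# escape. Run in the restricted user's context, since these live under HKCU.
[CmdletBinding()]
param(
    [switch]$Apply   # set the policies instead of only reporting on them
)

$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$systemPolicy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Each entry: registry path, value name, expected DWORD value.
$policies = @(
    # Blocks Task Manager, whether started by Ctrl+Shift+Esc or from the
    # Ctrl+Alt+Del screen (Ctrl+Alt+End inside an RDP session).
    @{ Path = $systemPolicy;   Name = 'DisableTaskMgr'; Value = 1 }
    # Removes the Run dialog, including Task Manager's File > New Task (Run...).
    @{ Path = $explorerPolicy; Name = 'NoRun';          Value = 1 }
    # Hides and disables desktop items if Explorer does get launched.
    @{ Path = $explorerPolicy; Name = 'NoDesktop';      Value = 1 }
    # Only programs listed under ...\Explorer\RestrictRun may be started via Explorer.
    @{ Path = $explorerPolicy; Name = 'RestrictRun';    Value = 1 }
)

function Test-KioskPolicy {
    # Returns one object per policy with the current value and a Compliant flag.
    foreach ($p in $policies) {
        $current = $null
        if (Test-Path $p.Path) {
            $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.($p.Name) }
        }
        [pscustomobject]@{
            Policy    = $p.Name
            Expected  = $p.Value
            Actual    = $current
            Compliant = ($current -eq $p.Value)
        }
    }
}

function Set-KioskPolicy {
    foreach ($p in $policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord `
            -Value $p.Value -Force | Out-Null
    }
    # RestrictRun reads its allow-list from a subkey: values "1", "2", ... holding
    # executable names. finance.exe is an assumed placeholder for the finance client.
    $allowList = Join-Path $explorerPolicy 'RestrictRun'
    if (-not (Test-Path $allowList)) { New-Item -Path $allowList -Force | Out-Null }
    New-ItemProperty -Path $allowList -Name '1' -PropertyType String `
        -Value 'finance.exe' -Force | Out-Null
}

if ($Apply) { Set-KioskPolicy }
Test-KioskPolicy | Format-Table -AutoSize
```

Two caveats a practitioner would want before relying on this. First, these values are enforced by Task Manager and the Explorer shell, not by the kernel: they close the specific path in the post, but any File > Open dialog inside the finance package, or any other program the session can reach, is a separate escape to test for. Second, the policy only helps the account that carries it, so deploy it to the two external users (or via a Group Policy loopback on the terminal server) and treat it as a layer on top of restricting who can reach the Terminal Services listener at all, not as a replacement for that.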